Advanced WordPress Security Tips

We’ve previously discussed WordPress Security Tips, you should review the information contained within that post, before completing our Advanced WordPress security tips guide.

There’s a myth doing the rounds that suggests WordPress itself is not secure. Let me start by saying that’s not the case. WordPress is by far the most popular CMS in use on the internet and because of that, anyone who wants to try and exploit a website, has a vested interest in exposing any vulnerabilities in WordPress. To combat this. Automattic, the company behind WordPress and WordPress plugin developers are constantly releasing updates that patch identified exploits. If you have the latest version of WordPress and all your plugins, you can be confident that any identified expoits have been patched. For this reason alone, when updates are released you should put them in place as soon as possible (after testing of course with a WordPress staging site!).

Updating your WordPress site and plugins is the first step to preventing hackers exploiting your site. It’s important to note that this does not mean that your site is 100% secure, there are further weak elements that need to be hardened, in order to deter any intruders. Think of it like this, most of us have a fence, wall or hedge around our home. A vulnerability in WordPress can be thought of as a hole in the perimeter (be that a fence, wall or hedge!). Updating WordPress and its plugins is similar to fixing the holes in the perimeter fence but there are still weak points. The gate can be opened, the wall can be climbed… you get the idea!

What we need is a series of additional security measures, that by themselves wouldn’t deter an intruder but together probably would. Back to the home scenario, we can put a lock on the gate, cameras that cover the wall, gate and any other vulnerable parts of the home and so on. Running a website is no different in this respect. The Advanced WordPress Security Tips guide below, identifies some weak points and details how you can secure these.

Log all activity

The first step to improving security is logging all activity on your site so that you can act upon real information rather than guessing what is happening on your site. We recommend you review this plugin to do so – https://wordpress.org/plugins/wp-security-audit-log/

Use the latest PHP version

Our previous post titled WordPress How to Upgrade to PHP 7.2 safely detailed the reasons why you should use the latest version on PHP. In summary, it’s more secure and offers improved performance.

Upgrading to the latest version should be fairly simple, as long as you have updated both your main WP install and the plugins. To do so you should following this guide.

Always use a strong and unique username and password.

You could argue that this shouldn’t be included in an Advanced WordPress Security Tips guide, but you’d be surprised just how many WordPress admins use the same easy to crack password for all sites that require authentication.

Best practice is to use a randomly generated password together with a password manager. Some popular password management apps to help with this are 1Password, LastPass, BitWarden and KeePass.

Lock down WordPress admin area

Locking down your WP login page is a key element in securing your WordPress install, by doing so it makes it more difficult for an attacker to brute force your admin area.

There are a few ways that you can achieve this.

If you have a static IP address, you should first of all lock down the admin area to just your IP address, this way only users on your network can access the page. This is as simple as adding the following to the top of your htaccess file in the root of your WP install.

*** MAKE SURE YOU REPLACE 0.0.0.0 WITH YOUR STATIC IP ADDRESS, IF YOU DONT KNOW THIS YOU CAN GET FROM HERE***

# Restrict access to /wp-config.php

Order Deny,Allow
Deny from all
Allow from 0.0.0.0


# Restrict access to /wp-admin

Order Deny,Allow
Deny from all
Allow from 0.0.0.0

Put in place two factor authentication.

Add a ReCaptcha checkbox on your login page

Limit the number of login attempts

Implement https protection

The easiest and quickest way to improve security on your login page is by implementing HTTPS. For those that don’t know, https is a secure way to send data between a web server and a web browser.

There are two steps to this, firstly you need to ensure that you have an SSL certificate installed and then you need to set up a redirect so that all traffic is served over https

Harden the wp-config.php file

wp-config.php is the main configuration file for your WordPress install. If it is compromised an attacker has full access to your WP site and can do what they wish.

Add the following to your htaccess file to deny access to anyone searching for it

# Restrict access to wp-config.php

Order Allow,Deny
Deny from all

You should also add the following lines to your wp-config.php file to prevent file editing within WordPress:

**** NOTE THIS SHOULD BE INCLUDED BEFORE THE require_once LINE ****

## Disable file editing in WP admin area
define('DISALLOW_FILE_EDIT', true);

Disable XML-RPC

XML-RPC has become an increasingly large target for brute force attacks. There are a few WordPress plugins like Jetpack that rely on XML-RPC, but a majority of people out there won’t need this and it can be beneficial to simply disable access to it.

To disable, simply add this to the htaccess file in the root of your WP install

*** MAKE SURE YOU REPLACE 0.0.0.0 WITH YOUR STATIC IP ADDRESS, IF YOU DONT KNOW THIS YOU CAN GET FROM HERE***

# Restrict WordPress xmlrpc.php requests

Order Deny,Allow
Deny from all
Allow from 0.0.0.0

Harden DB Security

Your Database is key to your websites. It stores all the information that is needed for your website to function. Needless to say, this should be locked down as much as possible.

– remote access should be disabled if possible, so that only the server hosting your website can connect to it.
– you should set a secure, unique password for your sql user
– change the WP database prefix (guide from wpmudev here)

Review File permissions

The recommended permission scheme should be:

Folders – 750
Files – 644

It’s important that you avoid having any file or directory set to 777.

To edit file permissions, you can use your favourite FTP software.

DDoS Protection

DDoS is short for Distributed Denial Of Service. The primary purpose of a DDoS attack is to overwhelm your website/server with traffic so that the server becomes unresponsive.

In order to add an additional layer of protection over and above what your hosting provider has in place, you should consider using a service like Cloudflare or Securi

Summary

If you’ve put in place all the recommended steps above, you’ll now have a more secure WordPress site. A word of caution, you should always assume that your site is vulnerable, and regularly review logs and activity in order to patch any exploits.

If you need any help implementing the above, we’d be happy to advise – get in touch with our team via sales@clook.net or 03300 885 250.